For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mattsthe2_59142's avatar
mattsthe2_59142
Icon for Nimbostratus rankNimbostratus
Jul 10, 2015

ICAP with iRule Response Page

We are running version 11.6

 

We originally had ASM configured to send files to a Symantec server for scanning and if a Virus was detected the ASM would display the Blocking Response page. (all good so far). Except the limitation with ASM is a 30Meg limit, our customer wants to upload larger files.

 

After contacting several Reps at F5 we were told that LTM ICAP has no limit and it was best for us to use LTM for ICAP feature and use ASM for the response page and event logging.

 

So we configured ICAP in LTM using this link: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/12.html

 

It looks like virus files are being blocked however using LTM-ICAP, can't seem to trigger a response page.

 

Is this even possible ?

 

application delivery
ASM Advanced WAF
icap
LTM
security

7 Replies

  • arpydays's avatar
    arpydays
    Icon for Nimbostratus rankNimbostratus
    Jul 12, 2015

    Same deal here, we were told we could use LTM ICAP and tie it in with custom ASM violations. We were thinking about capturing the ICAP_Response error and passing this to ASM triggering a custom violation after the ASM_REQUEST_END event. I think the problem is that the ASM event will fire before the ICAP_Response as the ICAP irule is on the Internal VS, which processes the request after the HTTP VS, I'll have a chat to F5 about this in the week.

     

  • mattsthe2_59142's avatar
    mattsthe2_59142
    Icon for Nimbostratus rankNimbostratus
    Jul 13, 2015

    Yeah i contacted support and they didnt help so im going back to our F5 account team.

     

    I'll keep you posted on anything i hear and if you could do the same I'd appreciate it.

     

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Jul 14, 2015

    ASM triggers after request adapt profile(aka ICAP). I have preliminary have created an iRule that works on detecting some ICAP results and then works in conjunction with ASM to raise custom violation - but I do need to test some more variants of it before I post something here for sharing. Stay tuned though!

     

  • Andras_Kis-Szab's avatar
    Andras_Kis-Szab
    Icon for Nimbostratus rankNimbostratus
    Feb 22, 2016

    The ICAP URL should be:

    uri icap://${SERVER_IP}:${SERVER_PORT}/AVSCANREQ\?action=scan

    The SYMC* requests uses a different responses (
    201 - abort
    ) instead of (
    200 - respond
    )

    ADAPT and parent VS OOPS on the 201 response. The response delivered from SYMC server to the client with this compatibility-mode request